In WaitForSomething(), the fd_set clientsWritable may be used
unitialized when the boolean AnyClientsWriteBlocked is set in the
WakeupHandler(). This leads to a crash in FlushAllOutput() after
x11proto's commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7.
The problem did not manifest before because both the XFD_SIZE and the
maximum number of clients were set to 256. As the connectionTranslation
table was initalized for the 256 clients to 0, the test on the index not
being 0 was aborting before dereferencing the client #0.
As of commit 2c94cdb453bc641246cc8b9a876da9799bee1ce7 in x11proto, the
XFD_SIZE got bumped to 512. This lead the OutputPending fd_set to have
any fd above 256 to be uninitialized which in turns lead to reading an
index after the end of the ConnectionTranslation table. This index would
then be used to find the client corresponding to the fd marked as
pending writes and would also result to an out-of-bound access which
would usually be the fatal one.
Fix this by zeroing the clientsWritable fd_set at the beginning of
WaitForSomething(). In this case, the bottom part of the loop, which
would indirectly call FlushAllOutput, will not do any work but the next
call to select will result in the execution of the right codepath. This
is exactly what we want because we need to know the writable clients
before handling them. In the end, it also makes sure that the fds above
MaxClient are initialized, preventing the crash in FlushAllOutput().
Thanks to everyone involved in tracking this one down!
Reported-by: Karol Herbst <freedesktop@karolherbst.de>
Reported-by: Tobias Klausmann <tobias.klausmann@mni.thm.de>
Signed-off-by: Martin Peres <martin.peres@linux.intel.com>
Tested-by: Tobias Klausmann <tobias.klausmann@mni.thm.de>
Tested-by: Martin Peres <martin.peres@linux.intel.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=91316
Cc: Ilia Mirkin <imirkin@alum.mit.edu>
Cc: Olivier Fourdan <ofourdan@redhat.com
Cc: Adam Jackson <ajax@redhat.com>
Cc: Alan Coopersmith <alan.coopersmith@oracle.com
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Regression from 990cf5b282
Signed-off-by: Julien Cristau <jcristau@debian.org>
Cc: Andrew Eikum <aeikum@codeweavers.com>
Cc: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Andrew Eikum <aeikum@codeweavers.com>
(cherry picked from commit 524844c8c1)
Fixes DRI2 client driver name mapping for newer AMD GPUs with the
modesetting driver, allowing the DRI2 extension to initialize.
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ac2f27f1a9)
Only treat divisor==0 as async to immediately report the actual vblank.
If the user species a non-zero divisor, we should compute the missed
vblank properly or else we report too early.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Mario Kleiner <mario.kleiner.de@gmail.com>
(cherry picked from commit 413cb2ff1d)
FatalError ends up calling xf86CloseConsole itself, so calling FatalError
from within xf86CloseConsole is not a good idea.
Make switch_to log errors using xf86Msg(X_WARNING, ...) and return success
(or failure).
This makes switch_to match the other error checking done in xf86CloseConsole
which all logs warnings and continues.
Add checking of the return value in xf86OpenConsole and call
FatalError there when switch_to fails, to preserve the error-handling
behavior of xf86OpenConsole.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1269210
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
(cherry picked from commit 2092f12a24)
Patch 3ab6cd31cb fixed Xinerama
interactions with font servers by not putting clients to sleep
multiple times. However, it introduced additional changes dealing with
libXfont routine returning Suspended more than once for the same
request. This additional change was to abandon processing of the
current request and free the closure data by jumping to
'xinerama_sleep' in each of the functions.
Font library functions shouldn't return Suspended more than once,
except for ListFontsWithInfo, which produces multiple replies, and
thus ends up returning Suspended many times during processing.
With the jump to xinerama_sleep occurring after the first reply was
processed, the closure for the request was freed and future calls into
the ListFontsWithInfo callback resulted in dereferencing freed
memory.
This patch removes the added branches, reverting the code to its
previous behaviour, which permitted multiple Suspended returns and
simply waited for the client to be signaled again so that the callback
could continue processing the request.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit f9a04d19ae)
xdmcp.c:1404:1: warning: function 'XdmcpFatal' could be declared with attribute 'noreturn'
[-Wmissing-noreturn,Semantic Issue]
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 9a2a05a9a7)
xdmauth.c:230:13: warning: absolute value function 'abs' given an argument of type 'long' but has parameter of
type
'int'
which may cause truncation of value [-Wabsolute-value,Semantic Issue]
if (abs(now - client->time) > TwentyFiveMinutes) {
^
xdmauth.c:230:13: note: use function 'labs' instead [Semantic Issue]
if (abs(now - client->time) > TwentyFiveMinutes) {
^~~
labs
xdmauth.c:302:9: warning: absolute value function 'abs' given an argument of type 'long' but has parameter of type
'int' which
may cause truncation of value [-Wabsolute-value,Semantic Issue]
if (abs(client->time - now) > TwentyMinutes) {
^
xdmauth.c:302:9: note: use function 'labs' instead [Semantic Issue]
if (abs(client->time - now) > TwentyMinutes) {
^~~
labs
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 85eb90ea45)
rrtransform.c:124:22: warning: using integer absolute value function 'abs' when
argument is of floating point type [-Wabsolute-value,Semantic Issue]
if ((v = abs(f_transform->m[j][i])) > max)
^
rrtransform.c:124:22: note: use function 'fabs' instead [Semantic Issue]
if ((v = abs(f_transform->m[j][i])) > max)
^~~
fabs
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 9f0fcd14b5)
miarc.c:1714:9: warning: using integer absolute value function
'abs' when
argument is of floating point type [-Wabsolute-value,Semantic Issue]
if (abs(parc->angle2) >= 360.0)
^
miarc.c:1714:9: note: use function 'fabs' instead [Semantic Issue]
if (abs(parc->angle2) >= 360.0)
^~~
fabs
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 610dd8a58a)
All the callers were already checking for failure, except that
createSourcePicture() itself was failing to check whether it
successfully allocated the Picture.
[ajax: Rebase, fix line wrap of preceding line]
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
(cherry picked from commit 211d4c2d35)
Set a destructor function on pixman images and call fbFinishAccess()
from there, rather than directly from free_pixman_pict(). This ensures
that fbFinishAccess() gets called even if pixman still has a reference
to the image after free_pixman_pict(), as is the case for alphamaps.
[ajax: Squash an unused variable warning in the non-wfb build]
Reviewed-by: Aaron Plattner <aplattner@nvidia.com>
Signed-off-by: Arcady Goldmints-Orlov <arcadyg@nvidia.com>
Reviewed-by: Søren Sandmann <ssp@redhat.com>
(cherry picked from commit fbac451724)
Check for integer overflow before using stuff->count in a multiplication,
to avoid compiler optimizing out due to undefined behaviour, but only
after we've checked to make sure stuff->count is in the range of the
request we're parsing.
Reported-by: jes@posteo.de
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6ca496b7c3)
There's a 'const char *' adventure here that I'm mostly ignoring; some
client information gets const poisoned. Worked around by adding a
couple of casts. Ick.
Added an _X_ATTRIBUTE_PRINTF to SELinuxLog.
Ignore a couple of unused return values.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 9af111fe04)
==11097== 2,048 (+1,640) bytes in 32 (+26) blocks are definitely lost in loss record 1,570 of 1,719
==11097== at 0x4C2A2DB: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11097== by 0x225EF3: SetPicturePictFilter (filter.c:339)
==11097== by 0x22DF4F: ProcRenderSetPictureFilter (render.c:1773)
==11097== by 0x15D25D: Dispatch (dispatch.c:432)
==11097== by 0x14C7B9: main (main.c:298)
[ajax: Fixed whitespace]
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
(cherry picked from commit c7f84c880b)
The correct refresh rate for this mode is 75, not 85.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
(cherry picked from commit 98e170971c)
[ajax: To be clear, we already have code to emit these events, and it
looks like it works, but to get them you'd have had to also ask for one
of the other notify types. This makes it possible to listen for e.g.
ProviderChange alone.]
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Michal Srb <msrb@suse.com>
(cherry picked from commit 91c7acfc34)
These get used at the end of the function in a calculation,
even though the result isn't used its not pretty.
Pointed out by coverity.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 4c7cefe240)
include/site.h says that COMPILEDDISPLAYCLASS is MIT-unspecified, rather
than MIT-Unspecified. Fix the manpage accordingly.
Signed-off-by: Cyril Brulebois <kibi@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 4803f71391)
Adobe-DPS-Extension, DEC-XTRAP, X3D-PEX, XIE
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 1ea8fb96bc)
lbx and mbe.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Tiago Vignatti <tiago.vignatti@nokia.com>
(cherry picked from commit 593270038d)
Based off of glproto 1.4.11.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Robert Hooker <robert.hooker@canonical.com>
(cherry picked from commit 3cd56dd2cf)
gcc quite correctly complains about this:
In file included from ../../include/scrnintstr.h:51:0,
from rootlessValTree.c:98:
In function 'RegionUninit.isra.1',
inlined from 'RegionEmpty' at ../../include/regionstr.h:194:5,
inlined from 'RootlessMiValidateTree' at rootlessValTree.c:490:9:
../../include/regionstr.h:166:9: warning: attempt to free a non-heap object 'RegionBrokenData' [-Wfree-nonheap-object]
free((_pReg)->data);
So that'd crash if you ever got there. RegionNull will do almost the
same thing only without the free(), so let's do that instead; it might
still not be an entirely sane way to recover, but it at least won't
crash.
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit fa0bb01899)
There was a complicated scheme to increase the time between keepalives
from 3 minutes up to as much as 24 hours in an attempt to reduce
network traffic from idle X terminals. X terminals receiving X
traffic, or receiving user input would use the 3 minute value; X
terminals without any network traffic would use a longer value.
However, this was actually broken -- any activity in the X server,
either client requests or user input, would end up resetting the
keepalive timeout, so a user mashing on the keyboard would never
discover that the XDMCP master had disappeared and have the session
terminated, which was precisely the design goal of the XDMCP keepalive
mechanism.
Instead of attempting to fix this, accept the cost of a pair of XDMCP
packets once every three minutes and just perform keepalives
regularly.
This will also make reworking the block and wakeup handler APIs to
eliminate select masks easier.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit db1089eafc)
The X server used to wait for the user to hit a key or move the mouse
before restarting the session after a keepalive failure. This,
presumably, was to avoid having the X server continuously spew XDMCP
protocol on the network while the XDM server was dead.
Switching into this state was removed from the server some time before
XFree86 4.3.99.16, so the remaining bits of code have been dead for
over a decade, and no-one ever noticed.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit a3a4029133)
When xf86RandR12Key is not set we will not get to the places where
these tests are done as the functions in question are not called.
In most cases we would have crashed before these checks anyway.
Signed-off-by: Egbert Eich <eich@freedesktop.org>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 3cd7d33380)
As we define sizeFits based on whether a CRTC is active, and skip trying
to redirect the scanout on a disable pipe, we then attempt to undo it
later and fail because crtc->scanout_pixmap != DRI2_Pixmap and
!sizeFits. Paper over this failure by skipping unredirected CRTC when
disabling.
v2: Unwind upon failure
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=84653
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Dave Airlie <airlied@redhat.com>
Reported-by: Christoph Haag <haagch@frickel.club>
Tested-by: Christoph Haag <haagch@frickel.club>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 245040f0d0)
DECnet support died in modularization (X11R7.0)
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 9d65a0de95)
The modesetting driver corrupts memory when used after a server regeneration
because not enough memory is allocated for its pixmap privates. This happens
because its call to dixRegisterScreenSpecificPrivateKey() does nothing because
key->initialized is still TRUE from the first server generation. However, the
key is not in the screen's linked list of screen-specific privates because
that's freed and reallocated during the server generation loop in dix_main().
Fix this by clearing key->initialized before CloseScreen and add a call to
dixFreeScreenSpecificPrivates() for GPU screens.
v2: Just set key->initialized to FALSE and move dixFreeScreenSpecificPrivates()
calls to after CloseScreen.
v3: Move dixFreeScreenSpecificPrivates() calls back to just before CloseScreen.
Signed-off-by: Aaron Plattner <aplattner@nvidia.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 82eb490b0a)
Since ProcRenderScale throws BadImplementation anyway it's pointless to
waste time carefully swapping the request.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 67dd34fa73)
This improves the case for when we paint an area without SHM.
xcb_image_subimage() is used to create a subimage for the damaged area, which
is converted to native format if necessary.
Signed-off-by: Ian Scott <ian.scott@arteris.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
(cherry picked from commit a579e6ba77)
Commit 94ab7455 added SA_RESTART to the SIGALRM handler. However, the
Popen code tears down and recreates the SIGALRM handler via OsSignal(),
and this flag is dropped at this time.
Clean the code to use just a single codepath for creating this signal
handler, always applying SA_RESTART.
[ajax: Fixed commit id]
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
(cherry picked from commit 1f915e8b52)
The X server frequently deals with SIGIO and SIGALRM interruptions.
If process execution is inside certain blocking system calls
when these signals arrive, e.g. with the kernel blocked on
a contended semaphore, the system calls will be interrupted.
Some system calls are automatically restartable (the kernel re-executes
them with the same parameters once the signal handler returns) but
only if the signal handler allows it.
Set SA_RESTART on the signal handlers to enable this convenient
behaviour.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Daniel Drake <drake@endlessm.com>
(cherry picked from commit 94ab7455ab)
<termio.h> is obsolete. Using <termios.h> instead fixes building with
musl libc.
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Felix Janda <felix.janda@posteo.de>
(cherry picked from commit e8e3368298)
gcc 5.1 throws a rather amusing warning here:
glxcmdsswap.c: In function ‘__glXSwapQueryExtensionsString’:
glxcmdsswap.c:439:1: warning: function might be candidate for attribute
‘noreturn’ [-Wsuggest-attribute=noreturn]
__glXSwapQueryExtensionsString(__GLXclientState * cl, GLbyte * pc)
This is entirely accurate, albeit curiously phrased: swapping some bits
hanging off the end of a null pointer will make Xdmx crash, so from the
perspective of code generation the function will indeed not return.
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit dfa8b37cfb)
some X manuals use then escape sequence \/ when they want to render
a slash. That's bad because \/ is not a slash but an italic
correction, never producing any output, having no effect at all in
terminal output, and only changing spacing in a minor way in typeset
output.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 634e357be2)
This eliminates a warning generated when miLineArcD is inlined and the
compiler can't figure out that edge1 and edge2 are always initialized
before being used.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit bca4f4b56c)
fixes:
In file included from rootlessWindow.c:51:0:
rootlessWindow.c: In function 'RootlessResizeWindow':
rootlessCommon.h:198:19: warning: declaration of 'w' shadows a parameter [-Wshadow]
WindowPtr w = pWin; \
^
rootlessWindow.c:1292:9: note: in expansion of macro 'HUGE_ROOT'
HUGE_ROOT(pWin);
^
rootlessWindow.c:1262:35: note: shadowed declaration is here
unsigned int w, unsigned int h, WindowPtr pSib)
^
In file included from rootlessWindow.c:51:0:
rootlessCommon.h:207:19: warning: declaration of 'w' shadows a parameter [-Wshadow]
WindowPtr w = pWin; \
^
rootlessWindow.c:1296:9: note: in expansion of macro 'NORMAL_ROOT'
NORMAL_ROOT(pWin);
^
rootlessWindow.c:1262:35: note: shadowed declaration is here
unsigned int w, unsigned int h, WindowPtr pSib)
^
Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit d471000436)
Signed-off-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 7f506b8099)
By the time we get here we've already done CloseDownDevices, so on the
second regeneration you get:
Invalid read of size 4
at 0x43402A: RemoveDevice (devices.c:1125)
by 0x427902: xwl_seat_destroy (xwayland-input.c:568)
by 0x42649C: xwl_close_screen (xwayland.c:116)
by 0x4B7F67: CursorCloseScreen (cursor.c:187)
by 0x536003: AnimCurCloseScreen (animcur.c:106)
by 0x539831: present_close_screen (present_screen.c:64)
by 0x43E486: dix_main (main.c:351)
by 0x30D70206FF: (below main) (libc-start.c:289)
Address 0x980e1a0 is 64 bytes inside a block of size 904
at 0x4A07D6A: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x434158: RemoveDevice (devices.c:1157)
by 0x42F77B: CloseDeviceList (devices.c:1017)
by 0x430246: CloseDownDevices (devices.c:1047)
by 0x43E3EB: dix_main (main.c:333)
by 0x30D70206FF: (below main) (libc-start.c:289)
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 533fb62739)
By the time we get here we've already been through FreeAllResources,
which has already torn down the RANDR objects, so on the second
regeneration you get:
Invalid read of size 4
at 0x51C6F0: RRCrtcDestroy (rrcrtc.c:659)
by 0x4285F5: xwl_output_destroy (xwayland-output.c:191)
by 0x426464: xwl_close_screen (xwayland.c:112)
by 0x4B7F77: CursorCloseScreen (cursor.c:187)
by 0x536013: AnimCurCloseScreen (animcur.c:106)
by 0x539841: present_close_screen (present_screen.c:64)
by 0x43E496: dix_main (main.c:351)
by 0x30D70206FF: (below main) (libc-start.c:289)
Address 0x4cc6640 is 0 bytes inside a block of size 728 free'd
at 0x4A07D6A: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x51BCCF: RRCrtcDestroyResource (rrcrtc.c:689)
by 0x45CD91: doFreeResource (resource.c:872)
by 0x45DE56: FreeClientResources (resource.c:1138)
by 0x45DF06: FreeAllResources (resource.c:1153)
by 0x43E3BD: dix_main (main.c:321)
by 0x30D70206FF: (below main) (libc-start.c:289)
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
(cherry picked from commit 11f4cc47a8)
Adam Jackson
Martin Peres
Julien Cristau
Michel Dänzer
Chris Wilson
Hans de Goede
Keith Packard
Jeremy Huddleston
Arcady Goldmints-Orlov
Alan Coopersmith
Eric Anholt
Ville Syrjälä
Michal Srb
Dave Airlie
Andrea Canciani
Cyril Brulebois
Tiago Vignatti
Robert Hooker
Egbert Eich
Aaron Plattner
Ian Scott
Daniel Drake
Felix Janda
Ingo Schwarze